Volume: 4 Issue: 3
ISSN: 2321-8169
17 - 22
_______________________________________________________________________________________
Abstract: Computer forensics involves preserving, identifying, extracting and documenting evidence stored as data or magnetically encoded information. Organizations, however, hold an ever-increasing amount of data from many sources: computing peripherals, personal digital assistants (PDA), consumer electronic devices, computer systems, networking equipment and various types of media, among others. For law enforcement officers, police forces and detective agencies, finding similar kinds of evidence and crimes that happened previously is time consuming and laborious.
The main aim of this work is to combine data mining techniques with computer forensic tools in order to get the data ready for analysis, find crime patterns, understand the mind of the criminal, help investigation agencies stay one step ahead of the bad guys, speed up the process of solving crimes and carry out computer forensic analyses for criminal cases.
Keywords-Digital Forensics, NTFS, MFT, PDA, MBR, Data mining, IDS
__________________________________________________*****_________________________________________________
I. INTRODUCTION
Digital forensics is the application of science to identify, collect, examine and analyse data while preserving the integrity of the information and maintaining a strict chain of custody for it. Data consists of distinct pieces of digital information that have been formatted in a specific way. Organizations have an escalating amount of data from many sources; for example, data can be transferred or stored by standard networking equipment, computer systems, computing peripherals, personal digital assistants (PDA), consumer electronic devices and different types of media, among other sources.
Data is an important tool and weapon for companies competing for a larger share of the marketplace. Because of its importance, data security has become a major issue in the IT industry. Without forensic capability, an organization will have difficulty determining what events have occurred within its systems and networks, such as exposures of secured, sensitive data.
Law enforcement officers, detective agencies and police departments have difficulty solving such cases because of the large volumes of crime-related data involved. Because of the complexity of the relationships within crime data, the widely used methods of crime analysis are out of date and consume a great deal of time and human resources. Moreover, these methods cannot capture all the influential parameters because they rely so heavily on human intervention; an intelligent and systematic approach to crime analysis is therefore needed more than ever, and data mining techniques can be the key solution.
Data mining techniques such as clustering and classification are used to track and identify crimes and crime patterns, and have begun to help law enforcement officers and detectives speed up the process of solving crimes. Here we take an interdisciplinary approach between computer science and criminal justice to develop a data mining paradigm that can help solve crimes faster.
II. LITERATURE SURVEY
Digital forensics is about finding evidence present in digital devices that is sufficiently reliable to stand up in court and be convincing. It is mainly used to preserve, identify, extract and document digital evidence stored as data or magnetically encoded information [8].
The process of acquiring, examining and applying digital evidence is crucial to the success of prosecuting a cybercriminal. With the continuous evolution of technology, it is difficult for law enforcement and computer professionals to stay one step ahead of technologically savvy criminals. To combat cyber-crime effectively, greater emphasis must be placed on the digital forensic field of study.
A. Steps for Digital Forensics
1) Assessment:
You must be able to distinguish between evidence and junk data. For this, you should know what the data is, where it is located and how it is stored.
2) Acquisition:
The evidence you find must be preserved as close as possible to its original state. Any changes made during this phase must be documented and justified.
3) Authentication:
At least two copies are taken of the evidential computer. One of these is sealed in the presence of the computer owner and then placed in secure storage. This is the master copy, and it will only be opened for examination under instruction from the court in the event of a challenge to the evidence presented after forensic analysis of the second copy. In practice the copies are authenticated by computing a cryptographic hash (for example SHA-256) of the original and of each copy at acquisition time and re-checking it before analysis, so that any later alteration of the working copy can be detected.
4) Analysis:
The stored evidence must be analysed to extract the useful information and recreate the chain of events.
IJRITCC | March 2016, Available @ http://www.ijritcc.org
5) Articulation:
The manner of presentation is important: it must be understandable to the court while remaining technically correct and credible. A good presenter can help in this respect.
6) Archival:
After the case is closed, seal the original evidence and keep it in a secure storage place, because the case may be reopened months or years later and the evidence would then have to be resubmitted in court.
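As an added illustration of the acquisition and authentication steps above (this is an example written for this page, not code from the paper), the following Python images a source while hashing it, produces the master and working copies the paper describes, and re-verifies the working copy before analysis. The device contents and file names are constructed for the demonstration.

```python
"""Hash-verified acquisition of a master and a working copy (added example)."""
import hashlib
import os
import tempfile

# Constructed stand-in for a seized device; a real acquisition reads the block device.
SAMPLE_DEVICE = b"MZ\x90\x00" + b"evidence bytes " * 1000


def image_device(source: bytes, dest_path: str, chunk: int = 4096) -> dict:
    """Write an image of `source` to dest_path, hashing each chunk as it is written.

    Returns an acquisition record (path, size and the hashes taken at imaging
    time), which is what gets entered into the chain-of-custody log.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(dest_path, "wb") as out:
        for i in range(0, len(source), chunk):
            block = source[i:i + chunk]
            out.write(block)
            md5.update(block)
            sha256.update(block)
    return {"path": dest_path, "size": len(source),
            "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_file(path: str, chunk: int = 4096) -> str:
    """SHA-256 of a file, read in chunks so large images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(record: dict) -> bool:
    """Re-hash the image and compare with the hash recorded at acquisition."""
    return hash_file(record["path"]) == record["sha256"]


def acquire(source: bytes, workdir: str) -> tuple:
    """Take the two copies the paper describes: a sealed master and a working copy."""
    master = image_device(source, os.path.join(workdir, "master.dd"))
    working = image_device(source, os.path.join(workdir, "working.dd"))
    # Both copies come from the same source, so their hashes must agree.
    if master["sha256"] != working["sha256"]:
        raise RuntimeError("master and working copy differ; repeat the acquisition")
    return master, working


def demo() -> dict:
    """Acquire, then show that an undocumented change to the working copy is detected."""
    with tempfile.TemporaryDirectory() as workdir:
        master, working = acquire(SAMPLE_DEVICE, workdir)
        ok_before = verify_image(working)
        # Simulate an analyst (or a careless tool) writing to the working copy.
        with open(working["path"], "r+b") as f:
            f.seek(0)
            f.write(b"XX")
        ok_after = verify_image(working)
        master_ok = verify_image(master)
    return {"working_ok_before": ok_before, "working_ok_after": ok_after,
            "master_ok": master_ok, "sha256": master["sha256"]}


if __name__ == "__main__":
    print(demo())
```

The hashes are computed from the same bytes that are written, so the record describes exactly what was stored; a verification that fails later means the copy changed after acquisition, which is precisely the situation the sealed master copy exists to resolve.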
B. Types of Digital Forensics
1) Computer Forensics:
The core underlying principle of computer forensics is preservation of data. Therefore, during all stages of examination and analysis a forensic examiner works on duplicates of the original evidence rather than on the original.
Computer forensics is used to preserve, identify, extract and document evidence from storage media. The file management system, or file system, is the part of the operating system that organizes and locates sectors for file storage.
A computer system fundamentally has two sources of data of interest to a forensic examiner: volatile and non-volatile memory. Volatile memory primarily means the main RAM of a computer, but also includes cache memory and even CPU registers; non-volatile memory, such as a hard disk, does not lose its data when the system is switched off [8].
2) File System Analysis:
File system analysis examines the data in a volume (i.e., a partition or disk) and interprets it as a file system. There are many possible end results of this process; examples include listing the files in a directory, recovering deleted content and viewing the contents of a sector.
File systems provide a mechanism for users to store data in a hierarchy of files and directories. A file system consists of structural data and user data, organized so that the computer knows where to find them [7].
a) Hidden Evidence Analysis in the File System: Suspects can hide their sensitive data in various areas of the file system such as volume slack, file slack, bad clusters and deleted file space.
i. Hard Disk: The maintenance track / Host Protected Area (HPA) on ATA disks can be used to hide information.
ii. File System Tables: The file allocation table in FAT and the Master File Table (MFT) in NTFS keep track of files. MFT entries can be manipulated to hide vital and sensitive information.
b) File Deletion: When a file is deleted its record is removed from the table, making it appear that the file no longer exists. The clusters used by the deleted file are marked as free and can be reused to store other data. However, even though the record is gone, the data may still reside in the clusters of the hard disk. That data can be recovered by calculating the start and end of the file in hex format and
of the file is created on the target partition. After the file has been copied, the original file is deleted. This process also requires some housekeeping in the FAT or MFT tables: a new entry is created in the table on the partition to which the file was copied, while the record for the deleted file is removed from the table on its own partition. Once a file is deleted, its space is considered free, and a criminal can also hide sensitive information there [6].
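The recovery the paper describes, locating a deleted file by its start and end offsets once its table entry is gone, is what a signature-based carver does. The following Python is an added example (not the paper's code) that scans a constructed raw image for header and footer signatures of two file types and carves out the bytes between them; the image, cluster size and signature table are constructed for the demonstration.

```python
"""Signature-based carving of deleted file content from a raw image (added example)."""

# Constructed raw image: 512-byte clusters holding two 'deleted' files whose
# table entries are gone but whose bytes remain, surrounded by junk.
CLUSTER = 512
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"J" * 700 + b"\xff\xd9"
PDF = b"%PDF-1.4\n" + b"P" * 300 + b"\n%%EOF\n"
IMAGE = (b"\x00" * CLUSTER
         + JPEG + b"\xaa" * (2 * CLUSTER - len(JPEG))
         + PDF + b"\x00" * (CLUSTER - len(PDF)))

# Header and footer signatures; real carvers carry hundreds of these.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image: bytes, signatures=SIGNATURES, max_size: int = 10 * 1024 * 1024) -> list:
    """Find header/footer pairs in `image` and return the carved byte ranges.

    Assumes each file was stored contiguously; a fragmented file would come
    back with foreign data in the middle, a known limit of this technique.
    """
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end < 0:
                pos = start + 1          # orphan header: keep scanning
                continue
            end += len(footer)
            found.append({"type": kind, "start": start, "end": end,
                          "cluster": start // CLUSTER, "data": image[start:end]})
            pos = end
    return sorted(found, key=lambda f: f["start"])


def hex_offsets(files: list) -> list:
    """Start/end offsets in hex, the form the paper mentions for locating a file."""
    return [(f["type"], hex(f["start"]), hex(f["end"])) for f in files]


if __name__ == "__main__":
    for entry in hex_offsets(carve(IMAGE)):
        print(entry)
```

Because the carver ignores the file system entirely, it also finds content in slack and unallocated space that no directory or MFT entry points to, which is exactly where a suspect would try to hide data.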
f)
EMailTrackerPro analyses the header of an email to detect the IP address of the machine that sent the message so that the sender can be tracked down. It helps to trace emails to a country or region of the world, showing the information on a global map.
SmartWhoIs is a freeware network utility that looks up all the available information about an IP address, hostname or domain, including country, state or province, city, name of the network provider, and administrator and technical support contact information [10].
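What a header-analysis tool such as the one above actually does is walk the Received: headers. The following Python is an added example (not the paper's code and not EMailTrackerPro): it parses a constructed message, extracts the IP addresses from each Received: line and walks them bottom-up, skipping private and loopback addresses, to find the first externally routable hop. The message, hostnames and addresses (TEST-NET ranges) are invented for the demonstration.

```python
"""Tracing an email's origin from its Received: headers (added example)."""
import email
import ipaddress
import re
from email import policy

# Constructed sample message; hosts and addresses are invented (TEST-NET ranges).
RAW_MESSAGE = b"""Received: from mx2.example.net (mx2.example.net [198.51.100.20])
\tby mail.example.org with ESMTP id abc123; Mon, 7 Mar 2016 10:02:11 +0000
Received: from relay.example.net (relay.example.net [203.0.113.5])
\tby mx2.example.net with ESMTP; Mon, 7 Mar 2016 10:02:09 +0000
Received: from laptop.local ([192.168.1.23])
\tby relay.example.net with ESMTPA; Mon, 7 Mar 2016 10:02:07 +0000
From: sender@example.net
To: victim@example.org
Subject: quarterly report
Message-ID: <1@example.net>

body
"""

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Addresses that never identify an external sender: RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def received_hops(raw: bytes) -> list:
    """One entry per Received: header, in message order (last relay first)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())          # unfold whitespace
        ips = []
        for ip in IPV4_RE.findall(text):
            try:
                ipaddress.ip_address(ip)             # drop things like 999.1.1.1
            except ValueError:
                continue
            ips.append(ip)
        hops.append({"hop": text.split(";")[0], "ips": ips})
    return hops


def originating_ip(raw: bytes):
    """Walk the headers bottom-up and return the first non-internal IP seen.

    The bottom-most Received: header was added by the first relay, so it names
    the submitting machine; internal hops are skipped because they identify
    only the sender's LAN, not its public address.
    """
    for hop in reversed(received_hops(raw)):
        for ip in hop["ips"]:
            if not is_internal(ip):
                return ip
    return None


if __name__ == "__main__":
    print(originating_ip(RAW_MESSAGE))
```

One caveat a practitioner should keep in mind: a sender controls everything below the headers added by relays the investigator trusts, so forged Received: lines can be inserted at the bottom. The only hop that is certain is the one written by the investigator's own mail server; each earlier hop is as trustworthy as the server that wrote it.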
6) Web Forensics:
Web forensics deals with collecting critical information related to a crime by exploring a person's browsing history: the number of times a website has been visited, the duration of each visit, the files uploaded to and downloaded from the visited website, the cookies set as part of the visit and other critical information.
Mandiant Web Historian assists users in reviewing website URLs stored in the history files of the most commonly used web browsers. It allows the forensic examiner to determine what, when, where and how intruders looked at different sites [10].
Index.dat Analyser is a forensic tool to view, examine and delete the contents of index.dat files. The tool can be used to view cookies, cache and browsing history together or individually. It also lets the examiner go directly to a website listed in the analyser's output and open files uploaded to or downloaded from that website.
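Modern browsers keep the history described above in SQLite databases rather than index.dat files. The following Python is an added example (not the paper's code) that builds an in-memory database modelled on a simplified subset of Chromium's History schema (urls, visits and downloads tables) with constructed rows, converts Chromium's microseconds-since-1601 timestamps, and derives per-site visit counts, total dwell time and download records.

```python
"""Visit counts, dwell times and downloads from a Chromium-style History database (added example)."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium stores times as microseconds since 1601-01-01 UTC (Windows FILETIME / 10).
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_chrome_time(ts: int) -> datetime:
    return CHROME_EPOCH + timedelta(microseconds=ts)


def to_chrome_time(dt: datetime) -> int:
    # Floor-divide timedeltas to stay in exact integer microseconds.
    return (dt - CHROME_EPOCH) // timedelta(microseconds=1)


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory database using a simplified subset of Chromium's schema."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, visit_duration INTEGER);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT,
                                tab_url TEXT, start_time INTEGER);
    """)
    t0 = to_chrome_time(datetime(2016, 3, 7, 9, 0, tzinfo=timezone.utc))
    sec = 10 ** 6
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "http://example.com/", "Example", 3, t0 + 7200 * sec),
        (2, "http://files.example.net/tool.zip", "tool.zip", 1, t0 + 600 * sec),
    ])
    con.executemany("INSERT INTO visits VALUES (?,?,?,?)", [
        (1, 1, t0, 30 * sec),
        (2, 1, t0 + 3600 * sec, 120 * sec),
        (3, 1, t0 + 7200 * sec, 45 * sec),
        (4, 2, t0 + 600 * sec, 5 * sec),
    ])
    con.execute("INSERT INTO downloads VALUES (?,?,?,?)",
                (1, "/home/user/Downloads/tool.zip",
                 "http://files.example.net/tool.zip", t0 + 600 * sec))
    con.commit()
    return con


def site_summary(con: sqlite3.Connection) -> list:
    """Per-site visit count, total dwell time and first/last visit, most visited first."""
    rows = con.execute("""
        SELECT u.url, COUNT(v.id), SUM(v.visit_duration), MIN(v.visit_time), MAX(v.visit_time)
        FROM urls u JOIN visits v ON v.url = u.id
        GROUP BY u.id ORDER BY COUNT(v.id) DESC""").fetchall()
    return [{"url": url, "visits": n, "total_seconds": dur / 10 ** 6,
             "first": from_chrome_time(first).isoformat(),
             "last": from_chrome_time(last).isoformat()}
            for url, n, dur, first, last in rows]


def downloads(con: sqlite3.Connection) -> list:
    return [{"path": path, "from": url, "when": from_chrome_time(ts).isoformat()}
            for path, url, ts in con.execute(
                "SELECT target_path, tab_url, start_time FROM downloads")]


if __name__ == "__main__":
    db = build_sample_history()
    print(site_summary(db))
    print(downloads(db))
```

Against a real History file the examiner would copy the database off the image first (the browser holds a lock on the live file) and open the copy read-only; the queries themselves are the same.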
7) Packet Sniffers:
A sniffer is software that collects traffic flowing into and out of a computer attached to a network [11]. Network engineers, system administrators and security professionals use sniffers to monitor and collect information about the different communications occurring over a network. Sniffers are the main source of data collection for Intrusion Detection Systems (IDS), which match packets against a rule set designed to flag anything malicious or strange.
Tools used:
Ethereal (since renamed Wireshark) is open source software widely used as a network packet analyser. It captures live network packets and displays the information in the headers of all the protocols used in the transmission of the captured packets, filtering the packets according to the user's needs.
WinPcap is the tool used for link-layer network access on Windows. WinPcap includes a network statistics engine and provides support for kernel-level packet filtering and remote packet capture.
AirPcap can be used to capture the control frames (ACK, RTS, CTS), management frames (Beacon, Probe Request and Response, Authentication) and data frames of 802.11 traffic.
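The matching step an IDS performs on sniffed packets is simple enough to show end to end. The following Python is an added example (not the paper's code and not any of the tools above): it decodes raw Ethernet/IPv4/TCP frames with struct, then matches the decoded fields against a small Snort-style rule set (protocol, destination port, payload content). The frames and rules are constructed for the demonstration, with checksums left at zero.

```python
"""Decoding captured frames and matching them against IDS-style rules (added example)."""
import socket
import struct


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct an Ethernet/IPv4/TCP frame for the demo (checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                  # dst MAC, src MAC, EtherType IPv4
    ip_total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame: bytes):
    """Return the fields an IDS matches on, or None if the frame is not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    pkt = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
           "proto": proto, "ttl": ttl}
    if proto != 6:                                     # only TCP is decoded here
        return pkt
    off = 14 + ihl
    sport, dport, _, _, doff_byte, flags = struct.unpack("!HHIIBB", frame[off:off + 14])
    data_off = (doff_byte >> 4) * 4
    pkt.update(sport=sport, dport=dport, flags=flags,
               payload=frame[off + data_off:14 + total_len])
    return pkt


# Constructed rule set in the spirit of Snort: protocol, destination port, content.
RULES = [
    {"sid": 1, "msg": "SQL injection in HTTP request", "proto": 6, "dport": 80,
     "content": b"' OR 1=1"},
    {"sid": 2, "msg": "Cleartext telnet login", "proto": 6, "dport": 23,
     "content": b"login:"},
]


def match_rules(pkt: dict, rules=RULES) -> list:
    hits = []
    for rule in rules:
        if pkt.get("proto") != rule["proto"]:
            continue
        if "dport" in rule and pkt.get("dport") != rule["dport"]:
            continue
        if "content" in rule and rule["content"] not in pkt.get("payload", b""):
            continue
        hits.append(rule["sid"])
    return hits


def scan(frames: list, rules=RULES) -> list:
    """Run each frame through the decoder and rules; return (sid, src, dst, dport) alerts."""
    alerts = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        for sid in match_rules(pkt, rules):
            alerts.append((sid, pkt["src"], pkt["dst"], pkt["dport"]))
    return alerts


# Constructed traffic sample: one injection attempt, one benign request, one telnet login.
FRAMES = [
    build_frame("10.0.0.5", "10.0.0.80", 40000, 80,
                b"GET /login?user=admin' OR 1=1-- HTTP/1.1\r\n"),
    build_frame("10.0.0.5", "10.0.0.80", 40001, 80, b"GET /index.html HTTP/1.1\r\n"),
    build_frame("10.0.0.9", "10.0.0.23", 40002, 23, b"login: root\r\n"),
]

if __name__ == "__main__":
    for alert in scan(FRAMES):
        print(alert)
```

A production IDS adds what this leaves out: reassembly of TCP streams so a signature split across two segments still matches, and checksum validation so that a crafted packet the receiver would drop does not raise a false alert.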
If the attacker went after the database login and stole the password, the likely criminal motive is data theft or data modification. The maximal frequent itemsets also reveal attack patterns. Look for other corroborating signs of evidence such as correlations and contingencies (take these values into account when building the rule sets).
6) Set SQL queries according to the rules.
7) Retrieve data.
1) Apriori Algorithm:
The Apriori algorithm is the most well-known association rule algorithm and is used in most commercial products. It relies on the large itemset property:
Any subset of a large itemset must be large.
In the pseudocode below, D is the database of transactions tj, s is the minimum support, Ck is the set of candidate itemsets of size k, Lk the large (frequent) itemsets of size k, and ci counts the transactions that contain candidate Ii.
Algorithm Apriori [9]:
  repeat
    for each tj ∈ D do
      for each Ii ∈ Ck do
        if Ii ⊆ tj then
          ci = ci + 1;
    for each Ii ∈ Ck do
      if ci >= (s * |D|) then
        Lk = Lk ∪ Ii;
    L = L ∪ Lk;
    Ck+1 = Apriori-Gen(Lk)
  until Ck+1 = ∅;
Algorithm Apriori-Gen [9]:
Input:
  Li-1 // Large itemsets of size i-1
Output:
  Ci // Candidates of size i
Apriori-Gen Algorithm:
  Ci = ∅;
  for each I ∈ Li-1 do
    for each J ≠ I ∈ Li-1 do
      if i-2 of the elements in I and J are equal then
        Ci = Ci ∪ {I ∪ J};
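The following Python is an added example (not the paper's code) that implements the Apriori and Apriori-Gen procedures above over constructed incident records, so the "database login plus password theft" pattern the section discusses falls out as a frequent itemset, and then derives the association rules whose confidence would feed the rule sets and SQL queries of steps 6 and 7. The transaction data and event names are invented for the demonstration; the candidate generation additionally prunes any candidate with a subset that is not large, which the large itemset property justifies.

```python
"""Apriori over incident records: frequent itemsets and association rules (added example)."""
from itertools import combinations

# Constructed transactions: each row is the set of observations logged for one incident.
TRANSACTIONS = [
    {"failed_login", "db_login", "password_dump", "data_exfil"},
    {"failed_login", "db_login", "password_dump"},
    {"port_scan", "failed_login", "db_login", "password_dump"},
    {"port_scan", "web_shell"},
    {"failed_login", "db_login", "data_exfil"},
    {"port_scan", "web_shell", "data_exfil"},
]


def support_counts(candidates, transactions) -> dict:
    """c_i for every candidate: the number of transactions t_j with I_i a subset of t_j."""
    counts = {c: 0 for c in candidates}
    for t in transactions:
        for c in candidates:
            if c <= t:
                counts[c] += 1
    return counts


def apriori_gen(large_prev: set, k: int) -> set:
    """Join L_{k-1} with itself on k-2 shared items, then prune candidates with a non-large subset."""
    prev = sorted(large_prev, key=sorted)
    candidates = set()
    for i, I in enumerate(prev):
        for J in prev[i + 1:]:
            if len(I & J) == k - 2:
                c = I | J
                if all(frozenset(s) in large_prev for s in combinations(c, k - 1)):
                    candidates.add(c)
    return candidates


def apriori(transactions, min_support: float) -> dict:
    """Return every large itemset with its support count, for minimum support s = min_support."""
    D = [frozenset(t) for t in transactions]
    threshold = min_support * len(D)                      # s * |D|
    L = {}
    Ck = {frozenset([item]) for t in D for item in t}     # C1 = all single items
    k = 1
    while Ck:
        counts = support_counts(Ck, D)
        Lk = {c: n for c, n in counts.items() if n >= threshold}
        L.update(Lk)
        k += 1
        Ck = apriori_gen(set(Lk), k)
    return L


def association_rules(L: dict, min_confidence: float) -> list:
    """Rules A -> B with confidence sup(A | B) / sup(A), drawn from the large itemsets."""
    rules = []
    for itemset, sup in L.items():
        if len(itemset) < 2:
            continue
        for r in range(1, len(itemset)):
            for a in combinations(itemset, r):
                A = frozenset(a)
                conf = sup / L[A]          # A is large because itemset is (the property)
                if conf >= min_confidence:
                    rules.append((A, itemset - A, conf))
    return rules


if __name__ == "__main__":
    large = apriori(TRANSACTIONS, 0.5)
    for items, n in sorted(large.items(), key=lambda kv: (len(kv[0]), sorted(kv[0]))):
        print(sorted(items), n)
    for A, B, conf in association_rules(large, 0.9):
        print(sorted(A), "->", sorted(B), round(conf, 2))
```

With support 0.5 over the six constructed incidents, {failed_login, db_login, password_dump} is the largest frequent itemset, and {db_login, password_dump} -> {failed_login} holds with confidence 1.0; a rule like that is what step 6 would turn into a query against the forensic output.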
III. PROPOSED SYSTEM
Our proposed system combines data mining techniques with computer forensic tools. This helps an organization get its data ready for analysis, find crime patterns, understand the mind of the criminal, help investigation agencies stay one step ahead of the bad guys, speed up the process of solving crimes and carry out computer forensic analyses for criminal proceedings. Data mining techniques let us track and identify crimes and crime patterns, which helps solve crimes faster, while digital forensics is the application of science to the identification, collection, examination and analysis of data while preserving the integrity of the information.
These measures can also be used proactively, alerting the administrator to attacks similar to those seen before and so helping to prevent upcoming cyber attacks.
A. Block Diagram of Proposed System:
[Figure 4: Block Diagram. Evidence -> Digital Forensic Analysis (apply digital forensic methods) -> Forensic Output -> Data Mining Algorithms -> GUI -> Output/Report]
Digital evidence or electronic evidence is any probative information stored or transmitted in digital form. Digital evidence includes information on computers, audio files, video recordings, digital images, emails, digital photographs, ATM transaction logs, word processing documents, instant message histories, spreadsheets, internet browser histories, databases, contents of computer memory, computer backups, GPS tracks and system logs; such evidence is essential in computer and internet crimes.
1)
2)
IV. CONCLUSION
REFERENCES
[1] Cheong Kai Wee, Analysis of Hidden Data in NTFS
File System,Edith Cowan University.
[2] Shyam Varan Nath, Crime Pattern Detection Using
Data Mining, Oracle Corporation.
[3] Hsinchun Chen, Wingyan Chung, Yi Qin, Michael Chau,
Jennifer Jie Xu, Gang Wang, Rong Zheng, Homa
Atabakhsh, Crime Data Mining: An Overview and Case
Studies, Proceeding of ACM Inter-national Conference,
Vol. 130, 2003, pp. 1-5.
[4] Chung-Hsien Yu, Max W. Ward, Melissa Morabito, Wei Ding, Crime Forecasting Using Data Mining Techniques, University of Massachusetts Boston.
[5] Javad Hosseinkhani, Mohammad Koochakzaei, Solmaz
Keikhaee, Javid Hosseinkhani Naniz, Detecting
Suspicion Information on the Web Using Crime Data
Mining Techniques, International Journal of Advanced
Computer Science and Information Technology
(IJACSIT), Vol. 3, No. 1, 2014, Page: 32-41, ISSN:
2296-1739
[6] Mamoun Alazab, Sitalakshmi Venkatraman, Paul Watters, Effective Digital Forensic Analysis of the NTFS Disk Image, Ubiquitous Computing and Communication Journal, Vol. 4, No. 3, 2009, pp. 551-558.
[7] Brian Carrier, File System Forensic Analysis, Addison-Wesley Professional, ISBN: 0-321-26817-2.
[8] John R. Vacca, Computer Forensics: Computer Crime Scene Investigation, Second Edition, ISBN: 1-58450-389-0, ISBN-13: 978-1-58450-389-7.
[9] Margaret H Dunham, Data Mining: Introductory and
Advanced Topics Publisher, Pearson Education, 2006.
[10] Natarajan Meghanathan, Sumanth Reddy Allam and
Loretta A. Moore, Tools And Techniques For Network
Forensics, International Journal of Network Security &
Its Applications (IJNSA), Vol .1, No.1, April 2009.
[11] Bruce J. Nikkel, Generalizing sources of live network
evidence, Whitepaper 2005.
[12] Karen Kent, Suzanne Chevalier, Tim Grance, Hung Dang, Guide to Integrating Forensic Techniques into Incident Response, National Institute of Standards and Technology Special Publication 800-86.